Cold Boot Attack Utilities Released At HOPE Conference

An anonymous reader writes "Jacob Appelbaum, one of the security researchers who worked on the cold boot attacks to recover encryption keys from memory even after reboot, has announced the release of the complete source code for the utilities at The Last HOPE in New York City. The hope (obligatory pun) is that the release of these tools will help to improve awareness of this attack vector and enable the development of countermeasures and mitigation techniques in both software and hardware. The full research paper (PDF) is also available."

There are some ways to minimize the problem

[Psionicist]

The way I see this, you should simply not store keys in memory (that is have your encrypted file system mounted) when you not need access to the files. A correct program will overwrite the keys when the file system is dismounted.

The purpose of full disk encryption (or system encryption in TrueCrypt is), in my opinion, not meant as a "one password to protect everything". It's just an extra measure to secure temporary files, the swap file and other tracks the OS and applications may spread around. You should still encrypt your really secret files separately, and use basic precautions such as secure file erasure when you've used them.

That said, I still don't think this attack is so important. If you have the file system mounted, and an attacker gains access to your computer, the files are already there!

because the fix would have to be in-hardware

[Animaether]

and not just the machine hardware, but rather the RAM stick itself.

Essentially the exploit relies on data that is in RAM to still exist, even if it's just for a few seconds, if you take it out of the machine.

You could add a 'write random crap to RAM' thing to your shutdown procedure, but that won't help if they simply power the machine off.
The machine hardware could write random crap to RAM when it is powered down, but that won't help if they simply yank the RAM stick out while the machine is still running.

So the RAM stick itself would have to detect that it is no longer connected to any motherboard and, using a charge kept in a capacitor, for example, flash itself with random crap.. or whatever.

Keep in mind that this 'exploit' is quite difficult to execute, requiring not just physical access to the machine - but to the RAM. While the machine is running (or was running within the last N seconds, at least). In the vast majority of environments, that's going to be extremely difficult.. unless you own (or operate) that machine and you have no particular way of being caught.

Re:Memory wiper?

[jonbryce]

You cool the chips down in the running computer with a spray duster, pull them out, and put them in a computer that you control.

No software solution can be used to stop you doing this, it has to be a hardware based solution.

Capturing machines with full disk encryption

[Animats]

Here's the existing approach to this problem.

1. Send in SWAT team. Stop user from turning off computer.
2. Bring in HotPlug kit and UPS.
3. Plug "Mouse Jiggler" into USB port to keep no-activity timeout from causing logout.
4. Turn on UPS.
5. Plug HotPlug unit into UPS.
6. Plug HotPlug unit output plug (a male plug which is a power output) into power strip, or, if necessary, remove wall outlet plate and connect clamp-on connectors to hot wires.
7. Unplug power strip from line power. HotPlug unit will switch in power from UPS.
8. Plug power strip into UPS. HotPlug unit will recognize this and deenergize its output plug.
9. Unplug HotPlug output plug and input plug. Computer is now running entirely on UPS.
10. Carry computer and UPS to forensics lab before UPS battery runs down.
11. Plug in UPS to keep battery charged.
12. Access disk as desired.